Human Factors in Information Security
Some organizations view "technical solutions" as the immediate answer to their information security problems. This attitude is promoted by several suppliers of (you guessed it) those very same "technical solutions". Don't get me wrong: technology-based information security products such as firewalls, antivirus software, VPNs and SIEMs are valuable weapons in the security manager's armory, but there are severe drawbacks to a pure-play technological approach:

• Firstly, technology is fallible. Despite the best efforts of the software quality engineering movement, hackers, testers and users continue to find unchecked buffers, unexpected exceptions, backdoors and other gross vulnerabilities in commercial and in-house developed software. If anything, they are being discovered and exploited at an increasing rate, despite the enormous investment in secure coding practices and system security testing. This problem is compounded by the complexity of IT systems. Organizations that employ multi-layered security have the right idea, but only the naïve would assume that every layer of armor is perfect. Worse still, ever since mediaeval days, attackers have been known to bypass the obvious castle defenses by taking an alternative approach – tunneling under or undermining the walls, for instance, or surrounding and blockading the castle in a war of attrition. Alternative attack vectors or modes are very much in vogue today, so .

• Secondly, very few organizations truly understand their information security problems in sufficient detail to even specify appropriate technical solutions. Typically, they recognize the need for standard information security packages (such as antivirus software) to address individual concerns, but they seldom have a comprehensive view of their requirements as a whole. They buy "plug and play" firewalls with no regard to monitoring the security alarms, updating attack signatures, or responding to new forms of network traffic. They virus-scan emails while ignoring USB memory sticks, JavaScript, DNS and other more exotic attacks.

• Thirdly, the very term "technical solution" almost always implies significant expense. Bespoke security technology is particularly costly, whilst standard off-the-shelf packages are often suboptimal and, of course, offer little competitive advantage.